IP Security (IPsec) is a security architecture for internet protocol (IP) that includes a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec provides security services by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPsec uses two protocols to provide traffic security: Authentication Header (AH) and Encapsulating Security Payload (ESP). For IPsec to work, the sending and receiving devices typically share a public key which is handled through the Internet Security Association and Key Management Protocol (ISAKMP).
A Security Association (SA) is a security-protocol-specific set of parameters that completely defines the services and mechanisms necessary to protect traffic at that security protocol location. These parameters typically include algorithm identifiers, modes, cryptographic keys, etc. An SA is often referred to by its associated security protocol (for example, “ISAKMP SA”, “ESP SA”).
At the initiation of a secure connection between two network elements, they must first negotiate an ISAKMP SA to protect their further negotiations. This ISAKMP SA is then used in negotiating Protocol SA's. During the negotiation and establishment of Protocol SA's, a security parameter index (SPI) is generated for each SA. The negotiated SA's are typically stored in a security association database (SAD), and an SPI is used together with a destination IP address and a security protocol to uniquely identify an SA. Another database typically maintained by an IPsec-enabled element is a security policy database (SPD) which specifies the policies concerning disposition of all IP packets. Each IPsec-enabled interface typically maintains separate inbound and outbound databases (SPD and SAD).
In a wireless local area network (WLAN), which has become more and more popular, it is not uncommon for a mobile user to roam among different subnets or from one geographic area to another using different IP addresses. It has become increasingly desirable to support the ability of maintaining secure connections without loss of data while a mobile client experiences a change of IP address. However, current IPsec architecture does not support such an IP address change without terminating the old connection and re-establishing a new one. As a result, a roaming client would encounter inevitable network service disruptions, which is not only inconvenient for the client but also burdensome for the network due to overhead costs from repeated security negotiations.
One solution to the loss-of-connection problem is to adopt Mobile IP in an IPsec implementation. With this solution, a mobile client is assigned a relatively permanent Mobile IP address in its home network. When roaming into a foreign network, the client obtains a care-of IP address from a foreign agent and communicates with the rest of the world through the foreign agent. As shown in FIG. 1, when it roams from Network 1 to Network 2, the mobile client has to maintain double tunneling to the Security Server in order not to lose connection. Mobile IP with double tunneling is highly inefficient and can be especially problematic for a resource-limited mobile unit. In addition, it takes considerable development effort to implement Mobile IP.
In view of the foregoing, it would be desirable to provide a mobility solution which overcomes the above-described inadequacies and shortcomings.